Date Published: 2022-02-21
QID 730362: Neo4j Database Server Affected by Apache Log4j Security Vulnerability
Neo4j is a graph database management system developed by Neo4j, Inc.
Affected versions:
- Neo4j 4.2 versions prior to version 4.2.14
- Neo4j 4.3 versions prior to version 4.3.10
- Neo4j 4.4 versions prior to version 4.4.3
QID Detection Logic (Unauthenticated):
This QID checks for vulnerable versions of Neo4j Database Server by extracting the version information from the /browser/manifest.json endpoint.
Successful exploitation of the vulnerability may allow remote code execution and complete system compromise.
The vendor has released a patch; for more information, please refer to the Neo4j Security Advisory.
Workaround:
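As an added example (not Qualys or Neo4j code), the version comparison this detection logic performs, applied to a constructed manifest.json body; the fixed versions come from the advisory above, while the top-level "version" field name in the manifest is an assumption:

```python
import json
import re

# Fixed versions per supported branch, as stated in the advisory.
FIXED_VERSIONS = {
    (4, 2): (4, 2, 14),
    (4, 3): (4, 3, 10),
    (4, 4): (4, 4, 3),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (any suffix such as '-beta' is ignored) into a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True if the version falls in an affected range, False if at or past the fix,
    None if the branch is not covered by the advisory (no conclusion from version alone)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def check_manifest(manifest_text):
    """Extract the version from a manifest.json body and classify it.
    Assumes the manifest carries a top-level "version" string (assumption)."""
    data = json.loads(manifest_text)
    version = data.get("version")
    if not isinstance(version, str):
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


# Constructed sample response body, not captured from a real server.
SAMPLE_MANIFEST = '{"name": "Neo4j Browser", "version": "4.3.9"}'

if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST))
```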
For environments where an upgrade might not be possible in the short term, the following steps should be taken:
Configuration change 1: Disable lookups through system properties, which mitigates the issue to a great extent.
In Neo4j Database Server this is set via the configuration below in conf/neo4j.conf:
Configuration change 2: After completing the first step, the following configuration changes are recommended to further reduce the exploitation paths of this vulnerability:
For Neo4j version 4.2:
For Neo4j versions 4.3 and 4.4:
- Neo4j Security Advisory - neo4j.com/security/log4j/